System and method for creation, deployment and management of augmented attacker map

ABSTRACT

A network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to the deception management server.

CROSS REFERENCES TO RELATED APPLICATIONS

This application is a non-provisional of U.S. Provisional ApplicationNo. 62/172,251, entitled SYSTEM AND METHOD FOR CREATION, DEPLOYMENT ANDMANAGEMENT OF AUGMENTED ATTACKER MAP, and filed on Jun. 8, 2015 byinventors Shlomo Touboul, Hanan Levin, Stephane Roubach, Assaf Mischari,Itai Ben David, Itay Avraham, Adi Ozer, Chen Kazaz, Ofer Israeli, OlgaVingurt, Liad Gareh, Israel Grimberg, Cobby Cohen and Sharon Sultan, thecontents of which are hereby incorporated herein in their entirety.

This application is a non-provisional of U.S. Provisional ApplicationNo. 62/172,253, entitled SYSTEM AND METHOD FOR MULTI-LEVEL DECEPTIONMANAGEMENT AND DECEPTION SYSTEM FOR MALICIOUS ACTIONS IN A COMPUTERNETWORK, and filed on Jun. 8, 2015 by inventors Shlomo Touboul, HananLevin, Stephane Roubach, Assaf Mischari, Itai Ben David, Itay Avraham,Adi Ozer, Chen Kazaz, Ofer Israeli, Olga Vingurt, Liad Gareh, IsraelGrimberg, Cobby Cohen and Sharon Sultan, the contents of which arehereby incorporated herein in their entirety.

This application is a non-provisional of U.S. Provisional ApplicationNo. 62/172,255, entitled METHODS AND SYSTEMS TO DETECT, PREDICT AND/ORPREVENT AN ATTACKER'S NEXT ACTION IN A COMPROMISED NETWORK, and filed onJun. 8, 2015 by inventors Shlomo Touboul, Hanan Levin, Stephane Roubach,Assaf Mischari, Itai Ben David, Itay Avraham, Adi Ozer, Chen Kazaz, OferIsraeli, Olga Vingurt, Liad Gareh, Israel Grimberg, Cobby Cohen andSharon Sultan, the contents of which are hereby incorporated herein intheir entirety.

This application is a non-provisional of U.S. Provisional ApplicationNo. 62/172,259, entitled MANAGING DYNAMIC DECEPTIVE ENVIRONMENTS, andfiled on Jun. 8, 2015 by inventors Shlomo Touboul, Hanan Levin, StephaneRoubach, Assaf Mischari, Itai Ben David, Itay Avraham, Adi Ozer, ChenKazaz, Ofer Israeli, Olga Vingurt, Liad Gareh, Israel Grimberg, CobbyCohen and Sharon Sultan, the contents of which are hereby incorporatedherein in their entirety.

This application is a non-provisional of U.S. Provisional ApplicationNo. 62/172,261, entitled SYSTEMS AND METHODS FOR AUTOMATICALLYGENERATING NETWORK ENTITY GROUPS BASED ON ATTACK PARAMETERS AND/ORASSIGNMENT OF AUTOMATICALLY GENERATED SECURITY POLICIES, and filed onJun. 8, 2015 by inventors Shlomo Touboul, Hanan Levin, Stephane Roubach,Assaf Mischari, Itai Ben David, Itay Avraham, Adi Ozer, Chen Kazaz, OferIsraeli, Olga Vingurt, Liad Gareh, Israel Grimberg, Cobby Cohen andSharon Sultan, the contents of which are hereby incorporated herein intheir entirety

FIELD OF THE INVENTION

The present invention relates to computer security, and in particular tocomputer network surveillance.

BACKGROUND OF THE INVENTION

Reference is made to FIG. 1, which is a simplified diagram of a priorart enterprise network 100 connected to an external internet 10. Network100 is shown generally with resources including computers 110, databases120, switches and routers 130, and mobile devices 140 such as smartphones and tablets, for ease of presentation, although it will beappreciated by those skilled in the art that enterprise networks todayare generally much more complex and include other devices such asprinters, other types of network elements such as relays, and anyInternet of Things objects. The various connections shown in FIG. 1 maybe direct or indirect, wired or wireless communications, or acombination of wired and wireless connections. Computers 110 anddatabases 120 may be physical elements or logical elements, or a mix ofphysical and logical elements. Computers 110 and databases 120 may bevirtual machines. Computer 110 and databases 120 may be local, remote orcloud-based elements, or a mix of local, remote and cloud-basedelements. Computers 110 may be client workstation computers, or servercomputers including inter alia file transfer protocol (FTP) servers,email servers, structured query language (SQL) servers, secure shell(SSH) servers and other application servers, or a mix of client andserver computers. A corporate information technology (IT) departmentmanages and controls network 100 in order to serve the corporaterequirements and meet the corporate needs.

Access to computers 110 and servers 120 in network 100 may optionally begoverned by an access governor 150, such as a directory service, thatauthorizes users to access computers 110 and databases 120 based on“credentials”. Access governor 150 may be a name directory, such asACTIVE DIRECTORY® developed by Microsoft Corporation of Redmond, Wash.,for WINDOWS® environments. Background information about ACTIVEDIRECTORY® is available at Wikipedia. Other access governors for WINDOWSand non-WINDOWS environments, include inter alia Lightweight DirectoryAccess Protocol (LDAP), Remote Authentication Dial-In User Service(RADIUS), and Apple Filing Protocol (AFP), formerly APPLETALK®,developed by Apple Inc. of Cupertino, Calif. Background informationabout LDAP, RADIUS and AFP is available at Wikipedia.

Access governor 150 may be one or more local machine access controllers.Access governor 150 may be one or more authorization servers, such as adatabase server or an application server.

In lieu of access governor 150, the endpoints and/or servers of network100 determine their local access rights.

Credentials for accessing computers 110 and databases 120 include interalia server account credentials such as <address> <username> <password>for an FTP server, an SQL server, or an SSH server. Credentials foraccessing computers 110 and databases 120 also include user logincredentials <username> <password>, or <username> <ticket>, where“ticket” is an authentication ticket, such as a ticket for the Kerberosauthentication protocol or NTLM hash used by Microsoft Corp., or logincredentials via certificates or via another implementation used today orin the future. Background information about the Kerberos protocol andthe LM hash is available at Wikipedia.

Access governor 150 may maintain a directory of computers 110, databases120 and their users. Access governor 150 authorizes users and computers,assigns and enforces security policies, and installs and updatessoftware. When a user logs into a computer 110, access governor 150checks the submitted password, and determines if the user is anadministrator (admin), a normal user (user) or other user type.

Computers 110 may run a local or remote security service, which is anoperating system process that verifies users logging in to computers andother single sign-on systems and other credential storage systems.

Network 100 may include a security information and event management(SIEM) server 160, which provides real-time analysis of security alertsgenerated by network hardware and applications. Background informationabout SIEM is available at Wikipedia.

Network 100 may include a domain name system (DNS) server 170, or suchother name service system, for translating domain names to IP addresses.Background information about DNS is available at Wikipedia.

Network 100 may include a firewall 180 located within a demilitarizedzone (DMZ), which is a gateway between enterprise network 100 andexternal internet 10. Firewall 180 controls incoming and outgoingtraffic for network 100. Background information about firewalls and DMZis available at Wikipedia.

One of the most prominent threats that organizations face is a targetedattack; i.e., an individual or group of individuals that attacks theorganization for a specific purpose, such as stealing data, using dataand systems, modifying data and systems, and sabotaging data andsystems. Targeted attacks are carried out in multiple stages, typicallyincluding inter alia reconnaissance, penetration, lateral movement andpayload. Lateral movement involves orientation, movement andpropagation, and includes establishing a foothold within theorganization and expanding that foothold to additional systems withinthe organization.

In order to carry out the lateral movement stage, an attacker, whether ahuman being who is operating tools within the organization's network, ora tool with “learning” capabilities, learns information about theenvironment it is operating in, such as network topology andorganization structure, learns “where can I go from my current step” and“how can I go from my current step (privileged required)”, and learnsimplemented security solutions, and then operates in accordance withthat data. One method to defend against such attacks, termed“honeypots”, is to plant and monitor misleading information/decoys/bait,with the objective of the attacker learning of their existence and thenconsuming those bait resources, and to notify an administrator of themalicious activity. Background information about honeypots is availableat Wikipedia.

Conventional honeypot systems operate by monitoring access to asupervised element in a computer network. Access monitoring generatesmany false alerts, caused by non-malicious access from automaticmonitoring systems and by user mistakes. Conventional systems try tomitigate this problem by adding a level of interactivity to thehoneypot, and by performing behavioral analysis of suspected malware ifit has infected the honeypot itself.

An advanced attacker may use different attack techniques to enter acorporate network and to move laterally within the network in order toobtain its resource goals. The advanced attacker may begin with aworkstation, server or any other network entity to start his lateralmovement. He uses different methods to enter the first network node,including inter alia social engineering, existing exploit and/orvulnerability that he knows to exercise, and a Trojan horse or any othermalware allowing him to control the first node.

Reference is made to FIG. 2, which is a simplified diagram of enterprisenetwork 100 with attack vectors of an attacker at an early stage oflateral movement. Once an attacker has taken control of a first node ina corporate network, he uses different advance attack techniques fororientation and propagation and discovery of additional ways to reachother network nodes in the corporate network. Attacker movement fromnode to node is performed via an “attack vector”, which is an object inmemory or storage of a first computer that may be used to access asecond computer.

Exemplary attack vectors include inter alia credentials of users withenhanced privileges, existing share names on different servers, anddetails of an FTP server, an email server, an SQL server or an SSHserver and its credentials. Attack vectors are often available to anattacker because a user did not logoff his workstation or clear hiscache. E.g., if a user contacted a help desk and gave the help deskremote access to his workstation and did not logoff his workstation,then the help desk access credentials may still be stored in the user'slocal cache and available to the attacker. Similarly, if the useraccessed an FTP server, then the FTP account login parameters may bestored in the user's local cache or profile and available to theattacker.

Attack vectors enable inter alia a move from workstation A→server Bbased on a shared name and its credentials, connection to a differentworkstation using local admin credentials that reside on a currentworkstation, and connection to an FTP server using specific accesscredentials.

Reference is made to FIG. 3, which is a simplified diagram of enterprisenetwork 100 with attack paths of an attacker at a later stage of lateralmovement. Whereas IT “sees” the logical and physical network topology,an attacker that lands on the first network node “sees” attack vectorsthat depart from that node and move laterally to other nodes. Theattacker can move to such nodes and then follow “attack paths” bysuccessively discovering attack vectors from node to node.

When the attacker implements such a discovery process on all nodes inthe network, he will be able to “see” all attack vectors of thecorporate network and generate a “maximal attack map”. Before theattacker discovers all attack vectors on network nodes and completes thediscovery process, he generates a “current attack map” that is currentlyavailable to him.

An objective of the attacker is to discover an attack path that leadshim to a target network node. The target may be a bank authorized serverthat is used by the corporation for ordering bank account transfers ofmoney, it may be an FTP server that updates the image of all corporatepoints of sale, it may be a server or workstation that storesconfidential information such as source code and secret formulas of thecorporation, or it may be any other network node that is of value to theattacker and is his “attack goal node”.

When the attacker lands on the first node, but does not know how toreach the attack goal node, he generates a current attack map that leadsto the attack goal node.

SUMMARY

There is thus provided in accordance with an embodiment of the presentinvention a system for network surveillance to detect attackers,including a deception management server within a network of resources,including a deployment module managing and planting one or more decoyattack vectors in one or more of the resources in the network, whereinan attack vector is an object in memory or storage of a first resourcethat may be used to access a second resource, and one or more decoyservers accessible from resources in the network via one or more of thedecoy attack vectors planted in the resources by the deployment module,each decoy server including a forensic alert module causing a real-timeforensic application to be transmitted to a destination resource in thenetwork when the decoy server is being accessed by a specific resourcein the network via one or more of the decoy attack vectors planted inthe specific resource by the deployment module, wherein the forensicapplication, when launched in the destination resource, identifies aprocess running within the specific resource that is accessing thatdecoy server, logs the activities performed by the thus-identifiedprocess in a forensic report, and transmits the forensic report to thedeception management server.

There is additionally provided in accordance with an embodiment of thepresent invention a method of network surveillance to detect attackers,including planting one or more decoy attack vectors in one or moreresources in a network of computers, wherein an attack vector is anobject in memory or storage of a first resource that may be used toaccess a second resource, recognizing that a decoy server in the networkis being accessed by a specific resource in the network via one or moreof the decoy attack vectors planted in the specific resource by theplanting, and causing a real-time forensic application to be transmittedto a destination resource, wherein the forensic application, whenlaunched on the destination resource, is operative to identify a processrunning within the specific resource that is accessing the decoy server,log the activities performed by the thus-identified process in aforensic report, and transmit the forensic report to a deceptionmanagement server.

There is further provided in accordance with an embodiment of thepresent invention a system for network surveillance to detect attackers,the system including a deception management server within a network ofresources that is governed by an access governor that authorizes usersto access the resources in the network based on user credentials, thedeception management server including a deployment module, planting oneor more decoy user credentials in one or more of the resources in thenetwork, and a forensic alert module for causing a real-time forensicapplication to be transmitted to a destination resource in the network,in response to the access governor recognizing an attempt by a firstresource to access a second resource in the network via one or more ofthe decoy credentials planted in the first resource by the deploymentmodule, wherein the forensic application, when launched in thedestination resource, identifies a process running within the firstresource that is attempting to access the second resource, logs theactivities performed by the thus-identified process in a forensicreport, and transmits the forensic report to the deception managementserver.

There is yet further provided in accordance with an embodiment of thepresent invention a method of network surveillance to detect attackers,including planting one or more decoy user credentials in one or moreresources in a network of resources that is governed by an accessgovernor that authorizes users to access the resources in the networkbased on user credentials, recognizing an attempt by a first resource inthe network to access a second resource in the network via one or moreof the decoy user credentials planted in the first resource by theplanting, and in response to the recognizing, causing a real-timeforensic application to be transmitted to a destination resource,wherein the forensic application, when launched, is operative toidentify a process running within the first resource that is accessingthe decoy server, log the activities performed by the thus-identifiedprocess, and transmit the log to a deception management server.

There is moreover provided in accordance with an embodiment of thepresent invention a system for network surveillance to detect attackers,including a deception management server located within a network ofresources, the network being governed by an access governor thatauthorizes users to access the resources in the network based oncredentials that include a hash version of a cleartext password, thedeception management server including a deployment module, planting oneor more decoy credentials in one or more of the resources in thenetwork, and a forensic alert module causing a real-time forensicapplication to be transmitted to a destination resource in the network,in response to recognizing that a first resource in the network attemptsto access a second resource in the network using a decoy credential withits cleartext password, wherein the forensic application, when launchedin the destination computer, identifies a process running within thefirst resource that is attempting to access the second resource, logsthe activities performed by the thus-identified process in a forensicreport, and transmits the forensic report to the deception managementserver.

There is additionally provided in accordance with an embodiment of thepresent invention a method of network surveillance to detect attackers,including planting a decoy credential in a first resource, wherein acredential enables a user to access a resource via a password, andwherein the decoy credential includes a hash of a cleartext password foraccessing a second resource, recognizing that the first resourceattempts to access the second resource using the cleartext password ofthe decoy credential, and causing, in response to the recognizing, areal-time forensic application to be transmitted to a destinationcomputer, wherein the forensic application, when launched, is operativeto identify a process running within the first resource that isattempting to access the second resource, log the activities performedby the thus-identified process, and transmit the log to a deceptionmanagement server.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more fully understood and appreciated fromthe following detailed description, taken in conjunction with thedrawings in which:

FIG. 1 is a simplified diagram of a prior art enterprise networkconnected to an external internet;

FIG. 2 is a simplified diagram of a prior art enterprise network withattack vectors of an attacker at an early stage of lateral movement;

FIG. 3 is a simplified diagram of a prior art enterprise network withattack paths of an attacker at a later stage of lateral movement;

FIG. 4 is a simplified diagram of an enterprise network with networksurveillance, in accordance with an embodiment of the present invention;

FIG. 5 is a simplified flowchart of a method for network surveillanceand notification using decoy servers, in accordance with an embodimentof the present invention;

FIG. 6 is a simplified method for network surveillance and notificationusing decoy user credentials, in accordance with an embodiment of thepresent invention; and

FIG. 7 is a simplified diagram of a method for network surveillanceusing two-factor deception, in accordance with an embodiment of thepresent invention.

For reference to the figures, the following index of elements and theirnumerals is provided. Similarly numbered elements represent elements ofthe same type, but they need not be identical elements.

Table of elements in the figures Element Description 10 Internet 100enterprise network 110 network computers 120 network databases 130network switches and routers 140 mobile devices 150 access governor(optional) 160 SIEM server 170 DNS server 180 firewall 200 enterprisenetwork with network surveillance 210 deception management server 211policy manager 212 deployment module 213 forensic application 220database of credential types 230 policy database 240 decoy servers 241tar-pit modules 242 forensic alert module 250 update server

Elements numbered in the 1000's are operations of flow charts.

DETAILED DESCRIPTION

In accordance with embodiments of the present invention, systems andmethods are provided for creating, deploying and managing augmentationto an attacker's current attack map. These systems and methods definedecoy attack vectors that change the current attack map, and detect theattacker when he follows an attack vector that leads to a decoy networknode.

Reference is made to FIG. 4, which is a simplified diagram of anenterprise network 200 with network surveillance, in accordance with anembodiment of the present invention. Network 200 includes a deceptionmanagement server 210, a database 220 of decoy attack vectors, a policydatabase 230 and decoy servers 240. In addition, network computers 110and databases 120 are grouped into groups G1, G2, G3 and G4.

Database 220 stores attack vectors that fake movement and access tocomputers 110, databases 120 and other resources in network 200. Attackvectors include inter alia:

user credentials of the form <username> <password>

user credentials of the form <username> <hash of password>

user credentials of the form <username> <ticket>

FTP server credentials of the form <address> <username> <password>

SSH server credentials of the form <address> <username> <password>

The attack vectors stored in database 220 are categorized by families,such as inter alia

F1—user credentials

F2—connections

F3—FTP logins

F4—SSH logins

F5—share names

F6—databases

F7—network devices

F8—URLs

F9—Remote Desktop Protocol (RDP)

F10—recent command

F11—scanners

Credentials for a computer B that reside on a computer A provide anattack vector for an attacker from computer A→computer B.

Database 220 communicates with an update server 250, which updatesdatabase 220 as attack vectors for accessing, manipulating and hoppingto computers evolve over time.

Policy database 230 stores, for each group of computers, G1, G2, . . . ,policies for planting decoy attack vectors in computers of that group.Each policy specifies decoy attack vectors that are planted in eachgroup, in accordance with attack vectors stored in database 220. Foruser credentials, the decoy attack vectors planted on a computer lead toanother resource in the network. For attack vectors to access an FTP orother server, the decoy attack vectors planted on a computer lead to adecoy server 240.

It will be appreciated by those skilled in the art the databases 220 and230 may be combined into a single database, or distributed over multipledatabases.

Deception management server 210 includes a policy manager 211, adeployment module 212, and a forensic application 213. Policy manager211 defines a decoy and response policy. The response policy definesdifferent decoy types, different decoy combinations, responseprocedures, notification services, and assignments of policies tospecific network nodes, network users, groups of nodes or users or both.Once policies are defined, they are stored in policy database 230 withthe defined assignments.

Deception management server 210 obtains the policies and theirassignments from policy database 230, and delivers them to appropriatenodes and groups. It than launches deployment module 212 to plant decoysin end points, servers, applications, routers, switches, relays andother entities in the network. Deployment module 212 plants each decoy,based on its type, in memory (RAM), disk, or in any other data orinformation storage area, as appropriate. Deployment module 212 plantsthe decoy attack vectors in such a way that the chances of a valid useraccessing the decoy attack vectors are low. Deployment module 212 may ormay not stay resident.

Forensic application 213 is a real-time application that is transmittedto a destination computer in the network, when a decoy attack vector isaccessed by a computer 110. When forensic application 213 is launched onthe destination computer, it identifies a process running within thatcomputer 110 that accessed that decoy attack vector, logs the activitiesperformed by the thus-identified process in a forensic report, andtransmits the forensic report to deception management server 210.

Once an attacker is detected, a “response procedure” is launched. Theresponse procedure includes inter alia various notifications to variousaddresses, and actions on a decoy server such as launching aninvestigation process, and isolating, shutting down and re-imaging oneor more network nodes. The response procedure collects informationavailable on one or more nodes that may help in identifying theattacker's attack acts, attention and progress.

Each decoy server 240 includes a tar-pit module 241, which is a processthat purposely delays incoming connections, thereby providing additionaltime for forensic application 213 to launch and log activities on acomputer 110 that is accessing the decoy server. Each decoy server 240also includes a forensic alert module 242, which alerts managementsystem 210 that an attacker is accessing the decoy server via a computer110 of the network, and causes deception management server 210 to sendforensic application 213 to the computer that is accessing the decoyserver. In an alternative embodiment of the present invention, decoyserver 240 may store forensic application 213, in which case decoyserver 240 may transmit forensic application 213 directly to thecomputer that is accessing the decoy server. In another alternativeembodiment of the present invention, deception management server 210 ordecoy server 240 may transmit forensic application 213 to a destinationcomputer other than the computer that is accessing the decoy server.

Notification servers (not shown) are notified when an attacker uses adecoy. The notification servers may discover this by themselves, or byusing information stored on access governor 150 and SIEM 160. Thenotification servers forward notifications, or results of processingmultiple notifications, to create notification time lines or such otheranalytics.

Reference is made to FIG. 5, which is a simplified flowchart of a method1100 for network surveillance and notification using decoy servers, inaccordance with an embodiment of the present invention. The flowchart ofFIG. 5 is divided into three columns. The leftmost column includesoperations performed by deception management server 210. The middlecolumn includes operations performed by a decoy server B that isaccessed from a computer A using decoy attack vectors. The rightmostcolumn includes operations performed by computer A.

At operation 1105, deployment module 212 plants decoy attack vectors incomputers 110 in accordance with the policies in database 230. Atoperation 1110 decoy server B recognizes that it is being accessed froma computer A via a decoy attack vector. At operation 1115, tar-pitmodule 241 of decoy server B delays access to data and resources ondecoy server B. The delaying performed at operation 1115 providesadditional time for decoy server B to send a request to deceptionmanagement server 210 to transmit forensic application 213 to computerA, and for computer A to receive and run forensic application 213. Atoperation 1120, decoy server B sends a request to deception managementserver 210, to transmit real-time forensic application 213 to computerA.

At operation 1125, deception management server 210 receives the requestsend by decoy server B, and at operation 1130 deception managementserver 210 transmits forensic application 213 to computer A.

At operation 1135, computer A receives forensic application 213 fromdeception management server 210, and launches the application. Atoperation 1140, forensic application 213 identifies a process, P,running on computer A that is accessing decoy server B. At operation1145, forensic application 213 logs activities performed by process P.At operation 1150, forensic application 213 transmits a forensic reportto deception management server 210. Finally, at operation 1155,deception management server 210 receives the forensic report fromcomputer A.

In accordance with an alternative embodiment of the present invention,decoy server B may store forensic application 213, in which case decoyserver B may transmit forensic application 213 directly to computer A,and operations 1120, 1125 and 1130 can be eliminated.

In accordance with another alternative embodiment of the presentinvention, forensic application 213 is transmitted by deceptionmanagement server 210 or by decoy server B to a destination computerother than computer A. When the destination computer launches forensicapplication 213, the application communicates with computer A toidentify the process, P, running on computer A that is accessing decoyserver B, log the activities performed by process P, and transmit theforensic report to deception management server 210

Reference is made to FIG. 6, which is a simplified method for networksurveillance and notification using decoy user credentials, inaccordance with an embodiment of the present invention. The flowchart ofFIG. 6 is divided into three columns. The leftmost column includesoperations performed by deception management server 210. The middlecolumn includes operations performed by access governor 150. Therightmost column includes operations performed by a computer A thatattempts to login to a computer B using decoy user credentials.

At operation 1205, deployment module 212 plants decoy credentials incomputers 110 in accordance with the policies in database 230. Atoperation 1210 access governor 150 receives an authorization requestfrom a computer B for a login to a computer A using invalid usercredentials. At operation 1215 access governor 150 reports the attemptedinvalid login to SIEM server 160.

At operation 1225, deception management server 210 identifies an invalidlogin attempt event reported by SIEM server 160, and at operation 1230deception management server 210 transmits real-time forensic application213 to computer A.

At operation 1235, computer A receives forensic application 213 fromdeception management server 210, and launches the application. Atoperation 1240, forensic application 213 identifies a process, P,running on computer A that is accessing computer B. At operation 1245,forensic application 213 logs activities performed by process P. Atoperation 1250, forensic application 213 transmits a forensic report todeception management server 210. Finally, at operation 1255, deceptionmanagement server 210 receives the forensic report from computer A.

In accordance with an alternative embodiment of the present invention,forensic application 213 is transmitted by deception management server210 to a destination computer other than computer A. When thedestination computer launches forensic application 213, the applicationcommunicates with computer A to identify the process, P, running oncomputer A that is accessing computer B, log the activities performed byprocess P, and transmit the forensic report to deception managementserver 210

As mentioned above, conventional honeypot systems generate many falsealerts. Embodiments of the present invention enhance confidence levelsin identifying an attacker, by luring him into multiple access attemptsto different resources monitored by the system.

Reference is made to FIG. 7, which is a simplified diagram of a methodfor network surveillance using two-factor deception, in accordance withan embodiment of the present invention. At operation 1310 an attackeraccesses a computer A of network 200. At operation 1320 the attackerobtains decoy credentials for accessing a computer B of network 200, thedecoy credentials being of the form <username> <hash>, where <hash> is ahash value of a cleartext password. The decoy credentials are preferablyplanted in computer A such that the chances of a valid user or automatedmonitor accessing the credentials are low.

At operation 1330 the attacker derives the cleartext password from<hash>. Operation 1330 may be performed by rainbow tables, which arepre-computed tables for reversing cryptographic hash functions. Atoperation 1340 the attacker attempts a login to computer B using thecleartext version of the decoy credentials <username> <cleartextpassword>. At this stage, the chances of such login being performed by avalid user or automated monitor are extremely low, since this loginrequires two suspicious factors; namely, (i) extracting the decoycredentials with the hash value of the cleartext password from computerA, and (ii) reversing the extracted hash value to obtain the cleartextpassword.

It will be appreciated by those skilled in the art that the two-factormethod shown in FIG. 7 can be extended to more than two factors bysuccessively planting a trail of decoy credentials that lead from onecomputer to the next.

In the foregoing specification, the invention has been described withreference to specific exemplary embodiments thereof. It will, however,be evident that various modifications and changes may be made to thespecific exemplary embodiments without departing from the broader spiritand scope of the invention. Accordingly, the specification and drawingsare to be regarded in an illustrative rather than a restrictive sense.

What is claimed is:
 1. A system for network surveillance to detectattackers, comprising: a deception management server within a network ofresources, comprising: a deployment processor managing and planting oneor more decoy attack vectors in one or more of the resources in thenetwork, wherein an attack vector is an object in memory or storage of afirst resource that may be used to access a second resource; and anotification processor; and one or more decoy servers accessible fromresources in the network, each decoy server comprising a forensic alertprocessor that issues an alert when a specific resource in the networkaccesses that decoy server via one or more of the decoy attack vectorsplanted in that specific resource by said deployment processor, thealert causing said deception management server to transmit a real-timeforensic application to the specific resource, wherein the forensicapplication, when launched in the specific resource, identifies aprocess running within the specific resource that is accessing thatdecoy server, logs the activities performed by the thus-identifiedprocess in a forensic report, and transmits the forensic report to saiddeception management server, wherein said notification processortransmits to a notification server a notification that a resource in thenetwork accessed a decoy server, and information in the forensic reportprovided by the forensic application, in response to said deceptionmanagement server receiving the forensic report.
 2. The system of claim1, further comprising an event monitor, recognizing an attempt by afirst resource in the network to access a second resource in the networkvia the decoy attack vectors planted by said deployment processor in thefirst resource, and causing, in response to the recognizing, thereal-time forensic application to be transmitted to the first resource.3. The system of claim 2 wherein said notification processor transmits anotification to the notification server, in response to said deceptionmanagement server receiving a forensic report from the forensicapplication running on the first resource.
 4. The system of claim 1wherein said deception management server further comprises a database ofattack vectors, and wherein the one or more decoy attack vectors plantedby said deployment processor are attack vectors in said database ofattack vectors.
 5. The system of claim 4, wherein the attack vectors insaid database of attack vectors include at least one member of (i)username and password, (ii) username and authentication ticket, (iii)FTP server address, username and password, (iv) database server address,username and password, and (v) SSH server address, username andpassword.
 6. The system of claim 4 further comprising an update servertransmitting, from time to time, updated attack vectors to said databaseof attack vectors.
 7. The system of claim 4, wherein the resources inthe network are grouped into multiple groups of resources, wherein saiddeception management server further comprises a database of policiesthat specify, for each group of resources on the network, one or moredecoy attack vectors to plant in that group of resources, from among theattack vectors in said database of attack vectors, and wherein saiddeployment processor plants the one or more decoy attack vectors in thegroups of resources in accordance with the database of policies.
 8. Thesystem of claim 1 wherein each decoy server further comprises a tar-pitprocessor, delaying access to data on the decoy server while a resourceaccesses that decoy server.
 9. A method of network surveillance todetect attackers, comprising: planting one or more decoy attack vectorsin one or more resources in a network of computers, wherein an attackvector is an object in memory or storage of a first resource that may beused to access a second resource; recognizing that a decoy server in thenetwork is being accessed by a specific resource in the network via oneor more of the decoy attack vectors planted in the specific resource bysaid planting; causing a real-time forensic application to betransmitted to the specific resource, wherein the forensic application,when launched on the specific resource, is operative to: identify aprocess running within the specific resource that is accessing the decoyserver; log the activities performed by the thus-identified process in aforensic report; and transmit the forensic report to a deceptionmanagement server; and transmitting to a notification server anotification that a resource in the network accessed a decoy server, andinformation in the forensic report provided by the forensic application,in response to the deception management server receiving the forensicreport.
 10. The method of claim 9 further comprising delaying access todata on the decoy server while the specific resource accesses the decoyserver.
 11. The method of claim 9 further comprising: recognizing anattempt by a first resource in the network to access a second resourcein the network via one or more of the decoy attack vectors planted inthe first resource by said planting; and causing the real-time forensicapplication to be transmitted to the first resource, in response to saidrecognizing.
 12. The method of claim 9, wherein the decoy attack vectorsinclude at least one member of (i) username and password, (ii) usernameand authentication ticket, (iii) FTP server address, username andpassword, (iv) database server address, username and password, and (v)SSH server address, username and password.
 13. A system for networksurveillance to detect attackers, the system comprising: a deceptionmanagement server within a network of resources that is governed by anaccess governor that authorizes users to access the resources in thenetwork based on user credentials, the deception management servercomprising: a deployment processor, planting one or more decoy usercredentials in one or more of the resources in the network; and anotification processor; and a forensic alert processor that issues analert when said access governor recognizes an attempt by a firstresource in the network to access a second resource in the network viaone or more of the decoy credentials planted in the first resource bysaid deployment processor, the alert causing said deception managementserver to transmit a real-time forensic application to the firstresource, wherein the forensic application, when launched in the firstresource, identifies a process running within the first resource that isattempting to access the second resource, logs the activities performedby the thus-identified process in a forensic report, and transmits theforensic report to said deception management server, wherein saidnotification processor transmits to a notification server a notificationthat the first resource attempted to access the second resource viadecoy credentials, and information in the forensic report provided bythe forensic application, in response to said deception managementserver receiving the forensic report.
 14. A method of networksurveillance to detect attackers, comprising: planting one or more decoyuser credentials in one or more resources in a network of resources thatis governed by an access governor that authorizes users to access theresources in the network based on user credentials; recognizing anattempt by a first resource in the network to access a second resourcein the network via one or more of the decoy user credentials planted inthe first resource by said planting; in response to said recognizing,causing a real-time forensic application to be transmitted to the firstresource, wherein the forensic application, when launched, is operativeto: identify a process running within the first resource that isaccessing the decoy server; log the activities performed by thethus-identified process; and transmit the log to a deception managementserver; and transmitting to a notification server a notification that aresource in the network accessed a decoy server, and information in theforensic report provided by the forensic application, in response to thedeception management server receiving the forensic report.